UK outsourcing giant Capita fined $19 million for ‘avoidable’ 2023 cyber breach

  • Marijan Hassan - Tech Journalist

British outsourcing firm Capita has been hit with a massive £14 million (approximately $19 million) fine by the UK’s Information Commissioner’s Office (ICO) for severe security failures related to a cyber attack in March 2023. The breach led to hackers stealing the personal data of 6.6 million individuals, including sensitive information from pension and staff records.



The penalty, which Capita has agreed to pay as part of a voluntary settlement, sends a clear message to large corporations about the necessity of proactive cybersecurity measures.


Failure to respond and address known flaws

The ICO investigation identified numerous systemic failures that contributed to the breach, which saw hackers exfiltrate nearly one terabyte of data, including addresses, bank account details, and even details of criminal records and medical data.


The key failures cited by the ICO include:

  • 58-hour delay to respond: The initial breach occurred when an employee unintentionally downloaded a malicious file. Capita’s system generated a high-priority security alert within 10 minutes, but the company shockingly failed to quarantine the infected device for 58 hours, far exceeding its one-hour target response time.

  • Failure to prevent privilege escalation: The company had inadequate controls for administrative accounts, which allowed the attacker to easily escalate privileges and move laterally across multiple domains and compromise critical systems.

  • Ignoring warnings: The ICO found that these security deficiencies were flagged as vulnerabilities on at least three separate occasions in penetration tests conducted prior to the attack, but were never remedied.
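The first failure above is a measurable one: the gap between a high-priority alert and the containment action, compared against a stated response target. The following Python snippet is an added illustration, not code from the article, Capita or the ICO. It runs over a small constructed event feed (alerts and quarantine actions for three hypothetical hosts, with times chosen to mirror the 58-hour and one-hour figures in the text) and reports, per host, how long containment took and whether the target was missed, including hosts that were never contained at all.

```python
from datetime import datetime, timedelta

# Constructed sample events: an alert feed plus containment actions for three
# hypothetical hosts. Illustrative values only, not data from the incident.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "host": "ws-017", "type": "alert", "severity": "high"},
    {"ts": "2025-03-01T09:02:00", "host": "ws-017", "type": "alert", "severity": "low"},
    {"ts": "2025-03-03T19:00:00", "host": "ws-017", "type": "quarantine"},   # 58h later
    {"ts": "2025-03-01T10:00:00", "host": "ws-042", "type": "alert", "severity": "high"},
    {"ts": "2025-03-01T10:20:00", "host": "ws-042", "type": "quarantine"},   # 20 min later
    {"ts": "2025-03-01T11:00:00", "host": "ws-099", "type": "alert", "severity": "high"},
    # ws-099 is never quarantined: an open, still-growing breach of the target
]

# One-hour containment target, as cited in the article.
RESPONSE_TARGET = timedelta(hours=1)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def containment_report(events, target=RESPONSE_TARGET, now=None):
    """Measure alert-to-containment latency per host.

    For each host, take the earliest high-severity alert and the first
    quarantine action that follows it. A host with no quarantine is treated
    as still open and its latency is measured up to `now` (defaults to the
    latest timestamp in the feed). Returns a dict keyed by host.
    """
    first_alert, contained = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        host, when = ev["host"], _parse(ev["ts"])
        if ev["type"] == "alert" and ev.get("severity") == "high":
            first_alert.setdefault(host, when)          # keep only the earliest
        elif ev["type"] == "quarantine" and host in first_alert and host not in contained:
            contained[host] = when                      # first containment after the alert
    if now is None:
        now = max(_parse(e["ts"]) for e in events)
    report = {}
    for host, alert_at in first_alert.items():
        end = contained.get(host)
        latency = (end if end else now) - alert_at
        report[host] = {
            "alert_at": alert_at.isoformat(),
            "contained_at": end.isoformat() if end else None,
            "latency_hours": round(latency.total_seconds() / 3600, 2),
            "breached": latency > target,
            "open": end is None,
        }
    return report


def breaches(events, target=RESPONSE_TARGET, now=None):
    """Hosts whose containment latency exceeded the target, worst first."""
    rep = containment_report(events, target, now)
    return sorted((h for h, r in rep.items() if r["breached"]),
                  key=lambda h: -rep[h]["latency_hours"])


if __name__ == "__main__":
    for host, row in containment_report(SAMPLE_EVENTS).items():
        print(host, row)
    print("SLA breaches:", breaches(SAMPLE_EVENTS))
```

The point of measuring the open case separately is that a dashboard built only on closed tickets would never show a host like ws-099; the worst response times are the ones still running.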


"Capita failed in its duty to protect the data entrusted to it by millions of people," said UK Information Commissioner John Edwards. "The scale of this breach and its impact could have been prevented had sufficient security measures been in place."


Fine reduced after negotiation

The ICO initially informed Capita of a provisional fine of £45 million. However, the final penalty of £14 million, split between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million), was significantly reduced as part of a settlement.


The reduction was made in consideration of Capita’s post-incident remediation efforts, its cooperation with the authorities, and its decision to admit liability and not appeal the decision.


Capita, a major service provider for numerous government and corporate clients, said in a statement that it regretted the incident and had since "accelerated our cybersecurity transformation," with new leadership and significant investment to strengthen its security posture.
